RE: crypto maps and IPSEC tunnels [7:71341]

2003-06-25 Thread ian
Thanks for the reply, but this doesn't work.
I have the more specific ACL and even created a log to syslog, and it's
matching correctly but doesn't work.

Any ideas?

On Wed, 2003-06-25 at 15:35, Robert Perez wrote:
> I would do your more specific ACL entry and make sure your inverted mask is
> correct such as 192.1.1.0 0.0.0.255.  Once you do that then issue the
> following commands to reset the tunnel and force a renegotiation.  
> 
> Clear crypto ipsec sa
> clear crypto isakmp sa
> 
> That should do it...
> 
> -Original Message-
> From: ian williams [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, June 25, 2003 8:33 AM
> To: [EMAIL PROTECTED]
> Subject: crypto maps and IPSEC tunnels [7:71341]
> 
> 
> Hi
> 
> I have just set up an IPsec tunnel between two routers and am tunneling a source
> address of 192.168.50.1 going to a host on router B 172.x.x.x/24. Everything
> works with the current configs given below. But I want to change the ACL 101
> on router B from using a class A mask to something like a class C mask or
> even a host address. I have changed the ACL 101 and even added a deny ip any
> any log to the end to see what is being dropped. The VPN tunnel doesn't come
> up unless I use a class A mask like shown below. I know this is an ACL, but
> it is being used for matching traffic; do they work differently and not
> support a host address?
> 
> Thanks
> 
> Ian
> 
> 
> 
> Here is the config of router A
> 
> 
> !
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
> crypto isakmp key cisco address 10.10.10.10
> !
> !
> crypto ipsec transform-set TEST esp-3des
> !
> crypto map cisco 1 ipsec-isakmp
>  set peer 10.10.10.10
>  set transform-set TEST
>  match address 101
> 
> access-list 101 permit ip 192.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
> access-list 101 permit ip 192.0.0.0 0.255.255.255 172.0.0.0 0.255.255.255
> 
> Here is the config router B
> 
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
> crypto isakmp key password address 10.10.10.20
> !
> !
> crypto ipsec transform-set TEST esp-3des
> !
> crypto map cisco 1 ipsec-isakmp
>  set peer 10.10.10.20
>  set transform-set TEST
>  match address 101
> 
> access-list 101 permit ip 172.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
> access-list 101 permit ip host 10.10.10.10 host 10.10.10.20
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=71353&t=71341
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


RE: crypto maps and IPSEC tunnels [7:71341]

2003-06-25 Thread Robert Perez
I would do your more specific ACL entry and make sure your inverted mask is
correct such as 192.1.1.0 0.0.0.255.  Once you do that then issue the
following commands to reset the tunnel and force a renegotiation.  

Clear crypto ipsec sa
clear crypto isakmp sa

That should do it...

-Original Message-
From: ian williams [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2003 8:33 AM
To: [EMAIL PROTECTED]
Subject: crypto maps and IPSEC tunnels [7:71341]


Hi

I have just set up an IPsec tunnel between two routers and am tunneling a source
address of 192.168.50.1 going to a host on router B 172.x.x.x/24. Everything
works with the current configs given below. But I want to change the ACL 101
on router B from using a class A mask to something like a class C mask or
even a host address. I have changed the ACL 101 and even added a deny ip any
any log to the end to see what is being dropped. The VPN tunnel doesn't come
up unless I use a class A mask like shown below. I know this is an ACL, but
it is being used for matching traffic; do they work differently and not
support a host address?

Thanks

Ian



Here is the config of router A


!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key cisco address 10.10.10.10
!
!
crypto ipsec transform-set TEST esp-3des
!
crypto map cisco 1 ipsec-isakmp
 set peer 10.10.10.10
 set transform-set TEST
 match address 101

access-list 101 permit ip 192.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.0.0.0 0.255.255.255 172.0.0.0 0.255.255.255
Here is the config router B

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key password address 10.10.10.20
!
!
crypto ipsec transform-set TEST esp-3des
!
crypto map cisco 1 ipsec-isakmp
 set peer 10.10.10.20
 set transform-set TEST
 match address 101

access-list 101 permit ip 172.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
access-list 101 permit ip host 10.10.10.10 host 10.10.10.20
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=71352&t=71341
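An added example to go with the question and Robert's reply above; it is not code from the thread and not a Cisco tool. It models two things a crypto ACL does: matching a packet's source/destination pair against wildcard-mask entries (wildcard bit 1 means "don't care"), and the requirement that the crypto ACLs on the two peers be mirror images of each other, since the ACL is what each side proposes and checks as the IPsec proxy identities. The router A and router B access-lists are the ones posted in the thread; the narrowed router B list (a /24 wildcard of 172.16.1.0 toward host 192.168.50.1, followed by the "deny ip any any log" Ian mentions) is constructed for the example. Note that the local log line matching, as Ian observed, only proves the local ACL sees the traffic; the mirror check below is what reports an entry narrowed on one side but not on the other.

```python
"""Wildcard-mask crypto ACL matching and peer mirror check (added example)."""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


def _ip(text):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def _wild_match(ip, base, wild):
    """Cisco wildcard semantics: a 1 bit in the wildcard is ignored."""
    care = ~wild & ALL_ONES
    return (ip & care) == (base & care)


@dataclass(frozen=True)
class Ace:
    """One 'access-list N permit|deny ip SRC DST' entry."""
    action: str
    src: int
    src_wild: int
    dst: int
    dst_wild: int

    def matches(self, src_ip, dst_ip):
        return (_wild_match(src_ip, self.src, self.src_wild)
                and _wild_match(dst_ip, self.dst, self.dst_wild))

    def mirror(self):
        """The entry the peer would need: source and destination swapped."""
        return Ace(self.action, self.dst, self.dst_wild, self.src, self.src_wild)


def _parse_addr(tokens, i):
    """Parse 'any', 'host X' or 'X WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, ALL_ONES), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_acl(text):
    """Parse the 'access-list N permit|deny ip ...' lines of an IOS config."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # only extended 'ip' entries are modelled here
        (src, sw), i = _parse_addr(tokens, 4)
        (dst, dw), _ = _parse_addr(tokens, i)
        aces.append(Ace(tokens[2], src, sw, dst, dw))
    return aces


def first_match(aces, src, dst):
    """First entry matching the (src, dst) pair, or None for the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for ace in aces:
        if ace.matches(s, d):
            return ace
    return None


def unmirrored(local, remote):
    """Local permit entries whose exact mirror is absent from the peer's list."""
    remote_permits = {a for a in remote if a.action == "permit"}
    return [a for a in local if a.action == "permit" and a.mirror() not in remote_permits]


# Access-lists as posted in the thread.
ROUTER_A_ACL = """
access-list 101 permit ip 192.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.0.0.0 0.255.255.255 172.0.0.0 0.255.255.255
"""
ROUTER_B_ACL = """
access-list 101 permit ip 172.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
access-list 101 permit ip host 10.10.10.10 host 10.10.10.20
"""
# Constructed narrowed list for router B (not from the thread).
ROUTER_B_NARROW = """
access-list 101 permit ip 172.16.1.0 0.0.0.255 host 192.168.50.1
access-list 101 deny ip any any log
"""

if __name__ == "__main__":
    a, b, b_narrow = parse_acl(ROUTER_A_ACL), parse_acl(ROUTER_B_ACL), parse_acl(ROUTER_B_NARROW)
    print("A sees 192.168.50.1->172.16.1.5:", first_match(a, "192.168.50.1", "172.16.1.5"))
    print("narrow B sees 172.16.1.5->192.168.50.1:", first_match(b_narrow, "172.16.1.5", "192.168.50.1").action)
    print("narrow B entries with no mirror on A:", unmirrored(b_narrow, a))
```

Running the script shows the symptom from the thread: the narrowed entry on router B matches its own return traffic (so a log keyword fires locally), yet it has no mirror in router A's list, whereas the original 172/8 to 192/8 entry does. The same check also flags the host 10.10.10.10 to host 10.10.10.20 entry on router B and the 192/8 to 10/8 entry on router A, neither of which has a counterpart; they do not carry the tunnel traffic here, so they do not break it, but they are the kind of leftovers worth tidying.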